Our IT services firm is proposing a network reconfiguration to use the IP range 10.10.150.1 – 10.10.150.254 internally as they state the current IP scheme using manufacturer defaults of 192.168.1.x is "making it too easy to exploit".

Is this true? How does knowing / not knowing the internal IP scheme make a network more exploitable? All internal systems are behind a SonicWall NAT and firewall router.

If you don't have an NDA with the IT services company, can you name and shame them? Then everyone here can avoid them due to their lack of clue and a desire to create billable work that achieves nothing
– goo, Jun 30 '09 at 19:44

16 Answers
This will add at best a very thin layer of "security by obscurity", as 192.168.x.y is a way more commonly used network address for private networks, but in order to use the internal addresses, bad boys have to be already inside your network, and only the most stupid attack tools will be fooled by the "non standard" address scheme.

It costs nearly nothing to implement this, and it offers nearly nothing in return.

+1 for "costs nothing offers nearly nothing". I'd question whether or not such a change might not be more of a pain in the a$$ than it's worth but if you're REALLY, REALLY concerned... go ahead and use a non-standard IP range. Just be sure to change your default router passwords and ports... because otherwise it's just embarrassing. grin
– KPWINC, Jun 30 '09 at 17:45

Depending on the size of your network, I'd argue that the cost is much greater than nothing. If you really want to bake the consultant's noodle, tell him that you believe that predictability is a foundation of information security, and implementing this change will make the network less secure because it will require you to alter many access control lists and other technical security controls.
– dr.pooter, Jun 30 '09 at 18:03

I agree with dr.pooter on this one. This is a very large change to your infrastructure, with damn near no real benefit. For a medium sized environment and higher, the logistics (and risks) of this are ulcer invoking.
– Scott Pack, Jun 30 '09 at 18:06

Another agreement. The change only "costs nothing" on a completely DHCP network that requires no static IP addresses (usually means no servers on the network). It costs headaches and lots of time otherwise.
– Joshua Nurczyk, Jun 30 '09 at 18:15

+1 Agreed. I would be wary of anyone who goes to lengths to implement something for the sole purpose of security by obscurity.
– squillman, Jun 30 '09 at 18:26

Aside from the fact that many consumer appliances use the 192.168.x.x address space (which can be exploited, like anything else), I don't feel that really changes the security landscape of a corporate network. Things inside are locked down, or they aren't.

Keep your machines/devices on current software/firmware, follow best practices for network security, and you'll be in good shape.

+1 - Perhaps next the burglar alarm company will suggest that you try and paint the exterior of the building in camouflage colors to ward off burglars! Security through absurdity...
– Evan Anderson, Jun 30 '09 at 18:58

The only legit reason I can think of to stay away from the 192.168.0.x or 192.168.1.x subnets is the likelihood of having overlapping subnets with VPN clients. This is not impossible to work around but does add some complication to setting VPNs up and diagnosing issues.

As another person said, the only good reason to change from 192.168.1.x is if you are using VPN from home routers on the client side. It's the reason every network I administer has a different subnet, because I and my client machines do VPN.
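The overlap problem the two answers above describe is mechanical and easy to check before rolling out a VPN profile. The following is an added example (not code from the original thread); it uses Python's standard `ipaddress` module to flag corporate subnets that collide with a remote client's home LAN, and a small longest-prefix-match routing model to show why a collision is harmful: when the home LAN and the VPN-pushed route are the same prefix, the choice of interface falls back to route metrics, which the VPN administrator does not control. The subnet and metric values are constructed for illustration.

```python
import ipaddress

def find_overlaps(client_nets, corp_nets):
    """Return (client_net, corp_net) pairs that overlap.

    Both arguments are iterables of CIDR strings, e.g. "192.168.1.0/24".
    """
    conflicts = []
    for c in client_nets:
        cn = ipaddress.ip_network(c, strict=False)
        for s in corp_nets:
            sn = ipaddress.ip_network(s, strict=False)
            if cn.overlaps(sn):
                conflicts.append((str(cn), str(sn)))
    return conflicts

def route_for(dst, routes):
    """Toy longest-prefix-match lookup.

    routes: list of (cidr, interface, metric). On a prefix-length tie the
    lowest metric wins, which is how most hosts break such ties.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, iface, metric in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen or (
            net.prefixlen == best[0].prefixlen and metric < best[2]
        ):
            best = (net, iface, metric)
    return best[1] if best else None

# Constructed scenario: a home router on 192.168.1.0/24 plus two candidate
# corporate ranges, the default one and the one the consultants proposed.
HOME_LAN = ["192.168.1.0/24"]
CORP_DEFAULT = ["192.168.1.0/24"]
CORP_PROPOSED = ["10.10.150.0/24"]

# Route table of the VPN client once the tunnel is up (constructed values).
ROUTES_DEFAULT = [
    ("0.0.0.0/0", "eth0", 100),
    ("192.168.1.0/24", "eth0", 100),  # local LAN
    ("192.168.1.0/24", "tun0", 50),   # pushed by the VPN, same prefix
]
ROUTES_PROPOSED = [
    ("0.0.0.0/0", "eth0", 100),
    ("192.168.1.0/24", "eth0", 100),
    ("10.10.150.0/24", "tun0", 50),
]

def vpn_report(client_nets, corp_nets, routes, sample_host):
    """Summarise whether the corporate range is safe to push to this client."""
    conflicts = find_overlaps(client_nets, corp_nets)
    return {
        "conflicts": conflicts,
        "sample_host_via": route_for(sample_host, routes),
        "safe": not conflicts,
    }

if __name__ == "__main__":
    print(vpn_report(HOME_LAN, CORP_DEFAULT, ROUTES_DEFAULT, "192.168.1.10"))
    print(vpn_report(HOME_LAN, CORP_PROPOSED, ROUTES_PROPOSED, "10.10.150.10"))
```

In the default case the report shows the collision and a route choice that depends entirely on the metric a home router or OS happened to assign; with a non-overlapping corporate range the lookup is unambiguous. This is an operational argument for avoiding 192.168.0.x/192.168.1.x, not a security one.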

My guess would be that some drive-by router exploit scripts are hardcoded to go looking at the standard home router address. So their response is "security through obscurity"... except it's not obscure because, depending on how the script works, it probably has access to the gateway address.

Anyway, their reasoning might be as follows: assume that the 192.168.x.0/24 range is used more commonly. Then, perhaps, the next assumption will be that, were there a piece of malicious software on one of the PCs, it would scan the 192.168.x.0/24 range for active computers. Disregard the fact that it would probably use some Windows built-in mechanism for network discovery.

Manufacturer defaults are always more exploitable as they are the first options that will be attempted, but the 10 range is also a very well known private range, and - if 192.168 doesn't work - will be the next one tried. I'd call "bull" on them.

Both ranges are "private" addresses and equally well known. Get someone else to look after your IT.

Knowing which address range you use internally is of absolutely no advantage. Once someone has access to your internal network they can see what addresses you use. Up to that point it's a level playing field.

I am not a network guy...but as a Linux person, I don't see how that would make any difference. Swapping one internal Class C to another doesn't really do anything. If you are on the network, you will still get the same access regardless of what the IP addresses are.

There may be a tiny difference from the perspective of people who don't know what they are doing bringing in their own wireless routers that would default to 192.168.0/32. But it is really no more secure.

Many of today's threats come from inside through careless users executing malware. Although it may not offer much protection, I wouldn't completely dismiss it as urban legend.

It would be called security through obscurity if the protection relied on the obscurity alone (like putting secret document on a public web server with "random" folder name), this clearly is not the case.

Some scripts may be hardcoded to scan the 192.168.1.x range and spread their own copies. Another practical reason is that home routers are typically configured with that range, so it may conflict when you set up VPN from the home machines, sometimes causing accidents.

If an attacker is in position to compromise your internal network, they're in position to know your IP range.

It's sort of like this: If the only protection you're using is your IP address range, I can plug an unconfigured machine into the switch and learn your network configuration in a couple of seconds, just by ARP requests. This is essentially busywork if the only reason behind it is "security".
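The last answer's point, that a freshly plugged-in machine learns the address plan from ARP in seconds, and the earlier remarks that any non-trivial scanner keys off the gateway or neighbor table rather than a hardcoded 192.168.1.0/24, are both illustrated by the following added example (not code from the thread). It parses the host's IPv4 neighbor table, which ARP populates, in the text format of `ip neigh show` on Linux, and tallies which /24s are actually in use per interface; a passive ARP sniff would feed the same parser. The sample output is constructed, not captured from any real network, and the function names are my own.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the format of `ip neigh show` (Linux). The addresses
# and MACs are invented for this example.
SAMPLE_NEIGH = """\
10.10.150.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.10.150.20 dev eth0 lladdr 00:11:22:33:44:14 STALE
10.10.150.21 dev eth0 lladdr 00:11:22:33:44:15 REACHABLE
10.10.150.99 dev eth0  FAILED
192.168.1.1 dev wlan0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
fe80::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
"""

# One neighbor entry: address, interface, optional lladdr, trailing NUD state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?"
    r".*?\s(?P<state>[A-Z]+)$"
)

def parse_neigh(text):
    """Return [(IPv4Address, interface, mac)] for resolved IPv4 neighbors.

    Entries without a MAC (FAILED/INCOMPLETE) never answered ARP and are
    dropped; IPv6 entries come from NDP, not ARP, and are skipped here.
    """
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or m.group("mac") is None:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if ip.version != 4:
            continue
        entries.append((ip, m.group("dev"), m.group("mac")))
    return entries

def infer_ranges(entries, prefixlen=24):
    """Count resolved hosts per (interface, /prefixlen), most populated first.

    The /24 guess is an assumption for the example; a real tool would read the
    interface's own netmask, but even this crude grouping recovers the plan.
    """
    counts = Counter()
    for ip, dev, _mac in entries:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[(dev, str(net))] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def scan_targets(text, prefixlen=24):
    """Networks a scanner would pick from the neighbor table instead of a
    hardcoded 192.168.1.0/24: every /prefixlen with at least one live host."""
    return [net for (_dev, net), _n in infer_ranges(parse_neigh(text), prefixlen)]

if __name__ == "__main__":
    for (dev, net), n in infer_ranges(parse_neigh(SAMPLE_NEIGH)):
        print(f"{dev}: {net} ({n} hosts seen)")
    print("scan targets:", scan_targets(SAMPLE_NEIGH))
```

Run against the sample, it reports 10.10.150.0/24 on eth0 with three live hosts and 192.168.1.0/24 on wlan0 with one, which is exactly what an attacker on the wire, or malware on a workstation, would scan; the renumbering changes the output of this script and nothing about what it can reach.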